krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature.
krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part *enc_tkt, krb5_const_principal server_princ, const krb5_keyblock *server, const krb5_keyblock *privsvr, krb5_pac *pac_out)
- param
[in] context - Library context
[in] enc_tkt - Ticket enc-part, possibly containing a PAC
[in] server_princ - Canonicalized name of ticket server
[in] server - Key to validate server checksum (or NULL)
[in] privsvr - Key to validate KDC checksum (or NULL)
[out] pac_out - Verified PAC (NULL if no PAC included)
- retval
0 Success; otherwise - Kerberos error codes
If a PAC is present in enc_tkt, verify its signatures. If privsvr is not NULL and server_princ is not a krbtgt or kadmin/changepw service, require a ticket signature over enc_tkt in addition to the KDC signature. Place the verified PAC in pac_out. If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible.
If no PAC is present in enc_tkt, set pac_out to NULL and return successfully.
Note
This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5_pac_verify_ext() with a principal but no keys.
Note
New in 1.20
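The rules above decide which signatures a given call actually checks. This added example is not libkrb5 code: it is a stand-alone model of those rules, useful for reviewing a call site where a NULL key silently skips a check. The helper names, the flag values, the sample principals and the two-component matching of krbtgt and kadmin/changepw are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signatures a call verifies when a PAC is present (bit flags). */
enum {
    CHECK_SERVER_CKSUM = 1, /* server key was passed */
    CHECK_KDC_CKSUM    = 2, /* privsvr key was passed */
    CHECK_TICKET_SIG   = 4  /* privsvr passed and an ordinary service */
};

/* Constructed sample server principals, as name components. */
static const char *const TGS[]  = {"krbtgt", "EXAMPLE.COM"};
static const char *const CHPW[] = {"kadmin", "changepw"};
static const char *const HTTP[] = {"HTTP", "www.example.com"};

/* Assumption: krbtgt means a two-component krbtgt/REALM name, and
 * kadmin/changepw is matched on exactly those two components. */
static bool exempt_from_ticket_sig(const char *const *comp, size_t n)
{
    if (n != 2)
        return false;
    if (strcmp(comp[0], "krbtgt") == 0)
        return true;
    return strcmp(comp[0], "kadmin") == 0 && strcmp(comp[1], "changepw") == 0;
}

/* Hypothetical helper: have_server / have_privsvr say whether the key
 * argument is non-NULL. PAC_CLIENT_INFO never appears in the result,
 * because the function does not validate that buffer. */
unsigned pac_checks_for(const char *const *comp, size_t n,
                        bool have_server, bool have_privsvr)
{
    unsigned checks = have_server ? CHECK_SERVER_CKSUM : 0;

    if (have_privsvr) {
        checks |= CHECK_KDC_CKSUM;
        if (!exempt_from_ticket_sig(comp, n))
            checks |= CHECK_TICKET_SIG;
    }
    return checks;
}

int main(void)
{
    printf("HTTP, both keys:   %u\n", pac_checks_for(HTTP, 2, true, true));
    printf("HTTP, server only: %u\n", pac_checks_for(HTTP, 2, true, false));
    printf("krbtgt, both keys: %u\n", pac_checks_for(TGS, 2, true, true));
    return 0;
}
```

A result of 0 means the PAC would be returned in pac_out with no signature checked at all, which is the case to look for when auditing callers.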